First run

Install and start

Install the fd0 client on each machine that should hold secrets. The hosted service at fd0.sh is the default backend; self-hosted clients use the same binary with a different [sync].server.

Install the client

$ curl -fsSL https://fd0.sh/install | sh
$ fd0 version

The installer selects the build for your platform (Linux or macOS, amd64 or arm64), verifies the release manifest with cosign when available, and writes fd0 plus fd0-agent to ~/.local/bin. Use --system to install into /usr/local/bin.

Update the client

$ fd0 update --check
$ fd0 update

fd0 update updates fd0 and fd0-agent from the latest client release. It verifies the archive checksum and uses cosign when available. If the agent is running, restart it after the update with fd0 agent restart.

Windows is not supported yet. The binaries cross-compile, but the agent socket path has not been validated on Windows.

Create a vault

$ fd0 init
$ fd0 unlock
$ fd0 scope create --label work
$ fd0 set API_TOKEN "secret-value" --scope work
$ fd0 sync

fd0 init creates your identity and seals the vault under a passphrase. fd0 unlock starts the agent. fd0 sync publishes encrypted events to the configured primary and pulls changes from other devices.

Configure another backend

$ mkdir -p ~/.fd0
$ cat >~/.fd0/config.toml <<'EOF'
[sync]
server = "https://fd0.example.com"
interval = "1h"
on_unlock = true
EOF
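
A pre-flight check for a config like the one above, as an added example that is not part of fd0 or its documentation: it reads [sync].server and flags a non-HTTPS URL or a config file that other local users can modify. The function names and the pass/fail policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not fd0 code). Policy assumed here: [sync].server must be
# https://, and the config file must not be group- or world-writable.

# Print the value of `server` from the [sync] table, or nothing if absent.
fd0_sync_server() {
  awk '
    /^[ \t]*\[/ { in_sync = ($0 ~ /^[ \t]*\[sync\][ \t]*$/); next }
    in_sync && /^[ \t]*server[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")   # drop the key and the equals sign
      sub(/[ \t]+$/, "")         # drop trailing whitespace
      gsub(/^"|"$/, "")          # drop the surrounding quotes
      print; exit
    }' "$1"
}

# Return 0 if the file passes, 1 on a finding, 2 if the file is missing.
fd0_config_check() {
  cfg=$1
  [ -f "$cfg" ] || { echo "no config at $cfg" >&2; return 2; }
  rc=0
  server=$(fd0_sync_server "$cfg")
  case $server in
    https://?*) ;;
    "") echo "[sync].server not set; the default backend applies" >&2 ;;
    *)  echo "[sync].server is not an https URL: $server" >&2; rc=1 ;;
  esac
  # In the ls -l mode string, characters 6 and 9 are the group and
  # other write bits; cut drops any ACL/xattr marker after column 10.
  mode=$(ls -ld "$cfg" | cut -c1-10)
  case $mode in
    ?????w????|????????w?)
      echo "$cfg is writable by other users ($mode)" >&2; rc=1 ;;
  esac
  return $rc
}

# Usage: sh check.sh ~/.fd0/config.toml
if [ $# -gt 0 ]; then
  fd0_config_check "$1"
fi
```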